March 28, 2023

ESET researchers recognized an lively StrongPity marketing campaign distributing a trojanized model of the Android Telegram app, introduced because the Shagle app – a video-chat service that has no app model

ESET researchers recognized an lively marketing campaign that we’ve got attributed to the StrongPity APT group. Lively since November 2021, the marketing campaign has distributed a malicious app by an internet site impersonating Shagle – a random-video-chat service that gives encrypted communications between strangers. Not like the totally web-based, real Shagle website that doesn’t supply an official cell app to entry its companies, the copycat website solely offers an Android app to obtain and no web-based streaming is feasible.

Key factors of the blogpost:

  • Just one different Android marketing campaign has been beforehand attributed to StrongPity.
  • That is the primary time that the described modules and their performance have been documented publicly.
  • A copycat web site, mimicking the Shagle service, is used to distribute StrongPity’s cell backdoor app.
  • The app is a modified model of the open-source Telegram app, repackaged with StrongPity backdoor code.
  • Based mostly on similarities with earlier StrongPity backdoor code and the app being signed with a certificates from an earlier StrongPity marketing campaign, we attribute this risk to the StrongPity APT group.
  • StrongPity’s backdoor is modular, the place all obligatory binary modules are encrypted utilizing AES and downloaded from its C&C server, and has varied spying options.

The malicious app is, in truth, a completely useful however trojanized model of the professional Telegram app, nevertheless, introduced because the non-existent Shagle app. We are going to check with it because the pretend Shagle app, the trojanized Telegram app, or the StrongPity backdoor in the remainder of this blogpost. ESET merchandise detect this risk as Android/StrongPity.A.

This StrongPity backdoor has varied spying options: its 11 dynamically triggered modules are accountable for recording cellphone calls, gathering SMS messages, lists of name logs, contact lists, and way more. These modules are being documented for the very first time. If the sufferer grants the malicious StrongPity app accessibility companies, considered one of its modules will even have entry to incoming notifications and can be capable of exfiltrate communication from 17 apps resembling Viber, Skype, Gmail, Messenger in addition to Tinder.

The marketing campaign is probably going very narrowly focused, since ESET telemetry nonetheless doesn’t determine any victims. Throughout our analysis, the analyzed model of malware accessible from the copycat web site was not lively anymore and it was not doable to efficiently set up it and set off its backdoor performance as a result of StrongPity hasn’t obtained its personal API ID for its trojanized Telegram app. However that may change at any time ought to the risk actor determine to replace the malicious app.


This StrongPity marketing campaign facilities round an Android backdoor delivered from a website containing the phrase “dutch”. This web site impersonates the professional service named Shagle at In Determine 1 you possibly can see the house pages of each web sites. The malicious app is offered straight from the impersonating web site and has by no means been made accessible from the Google Play retailer. It’s a trojanized model of the professional Telegram app, introduced as if it had been the Shagle app, though there may be at the moment no official Shagle Android app.

Determine 1. Evaluating the professional web site on the left and the copycat on the proper

As you possibly can see in Determine 2, the HTML code of the pretend website contains proof that it was copied from the professional website on November 1st, 2021, utilizing the automated software HTTrack. The malicious area was registered on the identical day, so the copycat website and the pretend Shagle app might have been accessible for obtain since that date.

Determine 2. Logs generated by the HTTrack software recorded within the pretend web site’s HTML code


On July 18th, 2022, considered one of our YARA guidelines at VirusTotal was triggered when a malicious app and a hyperlink to an internet site mimicking had been uploaded. On the similar time, we had been notified on Twitter about that pattern, though it was mistakenly attributed to Bahamut. ESET telemetry information nonetheless doesn’t determine any victims, suggesting the marketing campaign is prone to have been narrowly focused.


The APK distributed by the copycat Shagle web site is signed with the identical code-signing certificates (see Determine 3) as a trojanized Syrian e-gov app found in 2021 by Trend Micro, which was additionally attributed to StrongPity.

Determine 3. This certificates signed the pretend Shagle app and the trojanized Syrian e-gov app

Malicious code within the pretend Shagle app was seen within the earlier cell marketing campaign by StrongPity, and implements a easy, however useful, backdoor. We have now seen this code getting used solely in campaigns carried out by StrongPity. In Determine 4 you possibly can see a few of the added malicious lessons with most of the obfuscated names even being the identical within the code from each campaigns.

Determine 4. Class identify comparability of the trojanized Syrian e-gov app (left) and the trojanized Telegram app (proper)

Evaluating the backdoor code from this marketing campaign to that from the trojanized Syrian e-gov app (SHA-1: 5A5910C2C9180382FCF7A939E9909044F0E8918B), it has prolonged performance however with the identical code getting used to offer related capabilities. In Determine 5 and Determine 6 you possibly can examine the code from each samples that’s accountable for sending messages between parts. These messages are accountable for triggering the backdoor’s malicious conduct. Therefore, we strongly consider that the pretend Shagle app is linked to the StrongPity group.

Determine 5. Message dispatcher accountable for triggering malicious performance within the trojanized Syrian e-gov app

Determine 6. Message dispatcher accountable for triggering malicious performance within the pretend Shagle app

Technical evaluation

Preliminary entry

As described within the Overview part of this blogpost, the pretend Shagle app has been hosted on the Shagle copycat web site, from which victims had to decide on to obtain and set up the app. There was no subterfuge suggesting the app was accessible from Google Play and we have no idea how potential victims had been lured to, or in any other case found, the pretend web site.


In keeping with the outline on the copycat web site, the app is free and supposed for use to fulfill and chat with new individuals. Nevertheless, the downloaded app is a maliciously patched Telegram app, particularly Telegram model 7.5.0 (22467), which was accessible for obtain round February 25th, 2022.

The repackaged model of Telegram makes use of the identical bundle identify because the professional Telegram app. Package deal names are imagined to be distinctive IDs for every Android app and have to be distinctive on any given gadget. Which means that if the official Telegram app is already put in on the gadget of a possible sufferer, then this backdoored model can’t be put in; see Determine 7. This may imply considered one of two issues – both the risk actor first communicates with potential victims and pushes them to uninstall Telegram from their gadgets whether it is put in, or the marketing campaign focuses on international locations the place Telegram utilization is uncommon for communication.

Determine 7. If the official Telegram app is already put in on the gadget, the trojanized model can’t be efficiently put in

StrongPity’s trojanized Telegram app ought to have labored simply because the official model does for communication, utilizing normal APIs which are properly documented on the Telegram web site – however the app doesn’t work anymore, so we’re unable to test.

Throughout our analysis, the present model of malware accessible from the copycat web site was not lively anymore and it was not doable to efficiently set up it and set off its backdoor performance. After we tried to enroll utilizing our cellphone quantity, the repackaged Telegram app couldn’t acquire the API ID from the server, and therefore didn’t work correctly. As seen in Determine 8, the app displayed an API_ID_PUBLISHED_FLOOD error.

Determine 8. Error displayed throughout sign-up utilizing cellphone quantity

Based mostly on Telegram’s error documentation, plainly StrongPity hasn’t obtained its personal API ID. As an alternative, it has used the pattern API ID included in Telegram’s open-source code for preliminary testing functions. Telegram displays API ID utilization and limits the pattern API ID, so its use in a launched app leads to the error seen in Determine 8. Due to the error, it’s not doable to enroll and use the app or set off its malicious performance anymore. This may imply that StrongPity operators didn’t assume this by, or maybe there was sufficient time to spy on victims between publishing the app and it being deactivated by Telegram for APP ID overuse. Since no new and dealing model of the app was ever made accessible by the web site, it’d counsel that StrongPity efficiently deployed the malware to its desired targets.

Because of this, the pretend Shagle app accessible on the pretend web site on the time of our analysis was not lively anymore. Nevertheless, this may change anytime ought to the risk actors determine to replace the malicious app.

Parts of, and permissions required by, the StrongPity backdoor code are appended to the Telegram app’s AndroidManifest.xml file. As might be seen in Determine 9, this makes it simple to see what permissions are obligatory for the malware.

Determine 9. AndroidManifest.xml with parts and permissions of the StrongPity backdoor highlighted

From the Android manifest we will see that malicious lessons had been added within the org.telegram.messenger bundle to look as a part of the unique app.

The preliminary malicious performance is triggered by considered one of three broadcast receivers which are executed after outlined actions – BOOT_COMPLETED, BATTERY_LOW, or USER_PRESENT. After the primary begin, it dynamically registers further broadcast receivers to watch SCREEN_ON, SCREEN_OFF, and CONNECTIVITY_CHANGE occasions. The pretend Shagle app then makes use of IPC (interprocess communication) to speak between its parts to set off varied actions. It contacts the C&C server utilizing HTTPS to ship primary details about the compromised gadget and receives an AES-encrypted file containing 11 binary modules that shall be dynamically executed by the dad or mum app; see Determine 10. As seen in Determine 11, these modules are saved within the app’s inside storage, /information/person/0/org.telegram.messenger/information/.li/.

Determine 10. StrongPity backdoor receives an encrypted file that accommodates executable modules

Determine 11. Modules obtained from the server saved within the StrongPity backdoor’s inside storage

Every module is accountable for completely different performance. The record of the module names is saved in native shared preferences within the sharedconfig.xml file; see Determine 12.

Modules are dynamically triggered by the dad or mum app every time obligatory. Every module has its personal module identify and is accountable for completely different performance resembling:

  • libarm.jar (cm module) – information cellphone calls
  • libmpeg4.jar (nt module) – collects textual content of incoming notification messages from 17 apps
  • native.jar (fm/fp module) – collects file record (file tree) on the gadget
  • cellphone.jar (ms module) – misuses accessibility companies to spy on messaging apps by exfiltrating contact identify, chat message, and date
  • sources.jar (sm module) – collects SMS messages saved on the gadget
  • companies.jar (lo module) – obtains gadget location
  • systemui.jar (sy module) – collects gadget and system info
  • timer.jar (ia module) – collects a listing of put in apps
  • toolkit.jar (cn module) – collects contact record
  • watchkit.jar (ac module) – collects a listing of gadget accounts
  • wearkit.jar (cl module) – collects a listing of name logs

Determine 12. Record of modules utilized by the StrongPity backdoor

All obtained information is saved within the clear in /information/person/0/org.telegram.messenger/databases/outdata, earlier than being encrypted utilizing AES and despatched to the C&C server, as you possibly can see in Determine 13.

Determine 13. Encrypted person information exfiltrated to the C&C server

This StrongPity backdoor has prolonged spying options in comparison with the primary StrongPity model found for cell. It will probably request the sufferer to activate accessibility companies and achieve notification entry; see Determine 14. If the sufferer allows them, the malware will spy on incoming notifications and misuses accessibility companies to exfiltrate chat communication from different apps.

Determine 14. Malware requests, from the sufferer, notification entry and accessibility companies

With notification entry, the malware can learn obtained notification messages coming from 17 focused apps. Here’s a record of their bundle names:

  • Messenger (com.fb.orca)
  • Messenger Lite (com.fb.mlite)
  • Viber – Protected Chats And Calls (com.viber.voip)
  • Skype (
  • LINE: Calls & Messages (
  • Kik — Messaging & Chat App (
  • tango-live stream & video chat (com.sgiggle.manufacturing)
  • Hangouts (
  • Telegram (org.telegram.messenger)
  • WeChat (
  • Snapchat (
  • Tinder (com.tinder)
  • Hike Information & Content material (com.bsb.hike)
  • Instagram (
  • Twitter (
  • Gmail (
  • imo-Worldwide Calls & Chat (

If the gadget is already rooted, the malware silently tries to grant permissions to WRITE_SETTINGS, WRITE_SECURE_SETTINGS, REBOOT, MOUNT_FORMAT_FILESYSTEMS, MODIFY_PHONE_STATE, PACKAGE_USAGE_STATS, READ_PRIVILEGED_PHONE_STATE, to allow accessibility companies, and to grant notification entry. The StrongPity backdoor then tries to disable the SecurityLogAgent app (, which is an official system app that helps shield the safety of Samsung gadgets, and disables all app notifications coming from the malware itself that is likely to be exhibited to the sufferer sooner or later in case of app errors, crashes, or warnings. The StrongPity backdoor doesn’t itself attempt to root a tool.

The AES algorithm makes use of CBC mode and hardcoded keys to decrypt the downloaded modules:

  • AES key – aaaanothingimpossiblebbb
  • AES IV – aaaanothingimpos


The cell marketing campaign operated by the StrongPity APT group impersonated a professional service to distribute its Android backdoor. StrongPity repackaged the official Telegram app to incorporate a variant of the group’s backdoor code.

That malicious code, its performance, class names, and the certificates used to signal the APK file, are the identical as from the earlier marketing campaign; thus we consider with excessive confidence that this operation belongs to the StrongPity group.

On the time of our analysis, the pattern that was accessible on the copycat web site was disabled as a result of API_ID_PUBLISHED_FLOOD error, which ends up in malicious code not being triggered and potential victims presumably eradicating the non-working app from their gadgets.

Code evaluation reveals that the backdoor is modular and extra binary modules are downloaded from the C&C server. Which means that the quantity and kind of modules used might be modified at any time to suit the marketing campaign requests when operated by the StrongPity group.

Based mostly on our evaluation, this seems to be the second model of StrongPity’s Android malware; in comparison with its first model, it additionally misuses accessibility companies and notification entry, shops collected information in a neighborhood database, tries to execute su instructions, and for many of the information assortment makes use of downloaded modules.



SHA-1 File identify ESET detection identify Description
50F79C7DFABECF04522AEB2AC987A800AB5EC6D7 video.apk Android/StrongPity.A StrongPity backdoor (professional Android Telegram app repackaged with malicious code).
77D6FE30DAC41E1C90BDFAE3F1CFE7091513FB91 libarm.jar Android/StrongPity.A StrongPity cell module accountable for recording cellphone calls.
5A15F516D5C58B23E19D6A39325B4B5C5590BDE0 libmpeg4.jar Android/StrongPity.A StrongPity cell module accountable for gathering textual content of obtained notifications.
D44818C061269930E50868445A3418A0780903FE native.jar Android/StrongPity.A StrongPity cell module accountable for gathering a file record on the gadget.
F1A14070D5D50D5A9952F9A0B4F7CA7FED2199EE cellphone.jar Android/StrongPity.A StrongPity cell module accountable for misusing accessibility companies to spy on different apps.
3BFAD08B9AC63AF5ECF9AA59265ED24D0C76D91E sources.jar Android/StrongPity.A StrongPity cell module accountable for gathering SMS messages saved on the gadget.
5127E75A8FAF1A92D5BD0029AF21548AFA06C1B7 companies.jar Android/StrongPity.A StrongPity cell module accountable for acquiring gadget location.
BD40DF3AD0CE0E91ACCA9488A2FE5FEEFE6648A0 systemui.jar Android/StrongPity.A StrongPity cell module accountable for gathering gadget and system info.
ED02E16F0D57E4AD2D58F95E88356C17D6396658 timer.jar Android/StrongPity.A StrongPity cell module accountable for gathering a listing of put in apps.
F754874A76E3B75A5A5C7FE849DDAE318946973B toolkit.jar Android/StrongPity.A StrongPity cell module accountable for gathering the contacts record.
E46B76CADBD7261FE750DBB9B0A82F262AFEB298 watchkit.jar Android/StrongPity.A StrongPity cell module accountable for gathering a listing of gadget accounts.
D9A71B13D3061BE12EE4905647DDC2F1189F00DE wearkit.jar Android/StrongPity.A StrongPity cell module accountable for gathering a listing of name logs.


IP Supplier First seen Particulars
141.255.161[.]185 NameCheap 2022-07-28 intagrefedcircuitchip[.]com C&C
185.12.46[.]138 Porkbun 2020-04-21 networksoftwaresegment[.]com C&C

MITRE ATT&CK methods

This desk was constructed utilizing version 12 of the MITRE ATT&CK framework.

Tactic ID Identify Description
Persistence T1398 Boot or Logon Initialization Scripts The StrongPity backdoor receives the BOOT_COMPLETED broadcast intent to activate at gadget startup.
T1624.001 Occasion Triggered Execution: Broadcast Receivers The StrongPity backdoor performance is triggered if considered one of these occasions happens: BATTERY_LOW, USER_PRESENT, SCREEN_ON, SCREEN_OFF, or CONNECTIVITY_CHANGE.
Protection Evasion T1407 Obtain New Code at Runtime The StrongPity backdoor can obtain and execute further binary modules.
T1406 Obfuscated Information or Info The StrongPity backdoor makes use of AES encryption to obfuscate downloaded modules and to cover strings in its APK.
T1628.002 Cover Artifacts: Person Evasion The StrongPity backdoor can disable all app notifications coming from the malware itself to cover its presence.
T1629.003 Impair Defenses: Disable or Modify Instruments If the StrongPity backdoor has root it disables SecurityLogAgent ( if current.
Discovery T1420 File and Listing Discovery The StrongPity backdoor can record accessible information on exterior storage.
T1418 Software program Discovery The StrongPity backdoor can acquire a listing of put in functions.
T1422 System Community Configuration Discovery The StrongPity backdoor can extract IMEI, IMSI, IP tackle, cellphone quantity, and nation.
T1426 System Info Discovery The StrongPity backdoor can extract details about the gadget together with kind of web connection, SIM serial quantity, gadget ID, and customary system info.
Assortment T1417.001 Enter Seize: Keylogging The StrongPity backdoor logs keystrokes in chat messages and name information from focused apps.
T1517 Entry Notifications The StrongPity backdoor can acquire notification messages from 17 focused apps.
T1532 Archive Collected Knowledge The StrongPity backdoor encrypts exfiltrated information utilizing AES.
T1430 Location Monitoring The StrongPity backdoor tracks gadget location.
T1429 Audio Seize The StrongPity backdoor can document cellphone calls.
T1513 Display Seize The StrongPity backdoor can document gadget display utilizing the MediaProjectionManager API.
T1636.002 Protected Person Knowledge: Name Logs The StrongPity backdoor can extract name logs.
T1636.003 Protected Person Knowledge: Contact Record The StrongPity backdoor can extract the gadget’s contact record.
T1636.004 Protected Person Knowledge: SMS Messages The StrongPity backdoor can extract SMS messages.
Command and Management T1437.001 Software Layer Protocol: Net Protocols The StrongPity backdoor makes use of HTTPS to speak with its C&C server.
T1521.001 Encrypted Channel: Symmetric Cryptography The StrongPity backdoor makes use of AES to encrypt its communication.
Exfiltration T1646 Exfiltration Over C2 Channel The StrongPity backdoor exfiltrates information utilizing HTTPS.